Re: Increasing ICMP Echo Requests

From: Logan Rogers-Follis - TNTNetworx.net (loganat_private)
Date: Tue Aug 19 2003 - 13:23:47 PDT


    My question is then: how does it get into a secure network other than 
    e-mail, when no machines are taken in and out of the network?  It has 
    to spread originally through something other than TFTP...?
    
    Bruce Martins wrote:
    
    >Well this virus doesn't spread through e-mail, so whether or not you have
    >AV software on a mail server would not really matter in this case, as it
    >exploits the same vulnerability that the original MSBLAST worm did, then
    >patches it. The real problem is that some people aren't heeding the
    >warnings and patching their machines when a patch is released for a very
    >serious vulnerability like this one. The same thing happened with the SQL
    >Slammer worm: people had more than enough time to test and apply this
    >patch but didn't, but hey, just my 2 cents 
    >
    >
    >Bruce Martins
    >Systems Administrator
    >EXTEND>>MEDIA
    >190 Liberty Street
    >Toronto, Ontario
    >Canada
    >M6K 3L5
    >_______________________
    >e:bmartinsat_private
    >t: (416) 535-4222 ext. 2307
    >f: (416) 535-1201
    >http://www.extend.com
    >
    >
    >-----Original Message-----
    >From: Logan Rogers-Follis - TNTNetworx.net [mailto:loganat_private]
    >
    >Sent: Tuesday, August 19, 2003 3:34 PM
    >To: Bruce Martins
    >Cc: Kevin Patz; incidentsat_private
    >
    >My company had this virus (an unprotected computer - now secured - let
    >it in), and within 10 min. it had sent 6MB worth of ICMP out of our
    >network and it was totally messing up our 1.5MB SDSL line and ruining
    >our VPN.  I used the Norton tool and fixed them all, but I do know this
    >thing is horrible (I just wish every company had an AV on their mail
    >server - that would help stop some of this).
    >
    >Logan
    >
    >Bruce Martins wrote:
    >
    >>As I think this has already been posted here, it would seem that 
    >>this may be part of the new so-called "good" worm, if that in fact 
    >>really is one, which seems to patch the machine once infected and 
    >>removes any traces of the previous worm as well as itself on January 1,
    >>2004. This does create a lot of traffic as it searches for other 
    >>vulnerable machines. Is this a good or bad thing? Did the writer of 
    >>this do it to help remove the infection and spread of the previous worm
    >>or some other hidden agenda?
    >>
    >>Mcafee link
    >>http://us.mcafee.com/virusInfo/default.asp?id=nachi
    >>
    >>Symantec Link
    >>http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.wor
    >>m
    >>.html
    >>
    >>
    >>
    >>Bruce Martins
    >>Systems Administrator
    >>EXTEND>>MEDIA
    >>190 Liberty Street
    >>Toronto, Ontario
    >>Canada
    >>M6K 3L5
    >>_______________________
    >>e:bmartinsat_private
    >>t: (416) 535-4222 ext. 2307
    >>f: (416) 535-1201
    >>http://www.extend.com
    >>
    >>
    >>-----Original Message-----
    >>From: Kevin Patz [mailto:jambo_catat_private]
    >>Sent: Monday, August 18, 2003 4:46 PM
    >>To: incidentsat_private
    >>
    >>In-Reply-To: <3F411CBC.2020203at_private>
    >>
    >>Upon reading this, I enabled logging of ping
    >>requests on my firewall.  So far I've only seen three
    >>with len=92:
    >>
    >>24.64.90.16 (Shaw Communications)
    >>24.60.234.130 (Comcast, formerly attbi)
    >>24.61.246.103 (Comcast, formerly attbi)
    >>
    >>My IP is on Comcast, formerly attbi, on a 24.62 IP
    >>range.  I also have some pings with len=60 but they
    >>look more like "normal" ICMP echo requests.
    >>
    >>>Ken,
    >>>
    >>>We're seeing the same ICMP pattern.
    >>>
    >>>Is this from the blaster? We are looking into
    >>>filtering ICMP echo
    >>>request on our external routers.
    >>>
    >>>Here is a snip from our IDS,
    >>>
    >>>[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    >>>[Classification: Misc activity] [Priority: 3]
    >>>[Xref => http://www.whitehats.com/info/IDS154]
    >>>Event ID: 179333     Event Reference: 0
    >>>08/18/03-18:27:28.386411 65.83.120.72 -> xx.xx.xx.xx
    >>>ICMP TTL:118 TOS:0x0 ID:21399 IpLen:20 DgmLen:92
    >>>Type:8  Code:0  ID:2   Seq:61261  ECHO
    >>>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    >>>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    >>>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    >>>AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
    >>>
    >>>Thanks
    >>>
    >>>Daniel Williams
    >>>Cedar Document Technologies
    
    
    ---------------------------------------------------------------------------
    Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Ensure Reliable Performance of Mission Critical Applications
     - Precisely Define and Implement Network Security and Performance Policies
    **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    Visit us at: 
    http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    ----------------------------------------------------------------------------
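    Editor's added example (Python; not code from this thread, from Snort, or
    from the vendors linked above). It rebuilds the alert in Daniel's IDS snip
    as raw bytes, parses it the way a firewall log or an IDS would, and flags
    echo requests whose data section is the 64-byte 0xAA fill: 20 bytes IP +
    8 bytes ICMP + 64 bytes data is exactly the DgmLen:92 / len=92 everyone in
    the thread is seeing. Assumptions: the addresses are RFC 5737 documentation
    ranges standing in for the real hosts; the "normal" pings are the default
    Windows payload (32-byte alphabet, len=60) and the default Unix payload
    (8-byte timestamp plus 0x10..0x3f, len=84); every packet is constructed
    inline, nothing is captured.

```python
import socket
import struct
from collections import Counter

# Added example for the thread above; the packets below are constructed, not captured.

ICMP_ECHO_REQUEST = 8
AA_FILL_LEN = 64          # data length behind the DgmLen:92 alerts in the thread


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (IP and ICMP use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src, dst, icmp_type, ident, seq, payload, ttl=64, ip_id=0):
    """Build one raw IPv4 datagram carrying an ICMP echo request/reply (constructed sample)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, ttl, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(datagram: bytes):
    """Return the fields a Snort-style ICMP alert prints, or None if not a valid ICMP datagram."""
    ver_ihl, _tos, dgm_len, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        return None
    icmp = datagram[(ver_ihl & 0x0F) * 4:dgm_len]
    if inet_checksum(icmp) != 0:            # corrupt or forged ICMP: skip it
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "ip_id": ip_id, "dgm_len": dgm_len,
            "type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": icmp[8:]}


def is_aa_fill_probe(pkt) -> bool:
    """True only for an echo *request* whose data is exactly 64 bytes of 0xAA.

    Matching the fill, not just DgmLen 92, avoids flagging every other
    64-byte echo request (e.g. `ping -s 64` from a Unix host) and replies.
    """
    return (pkt is not None
            and pkt["type"] == ICMP_ECHO_REQUEST
            and pkt["data"] == b"\xaa" * AA_FILL_LEN)


def probe_sources(datagrams):
    """Count flagged probes per source address: the input for a per-host block or rate limit."""
    return Counter(pkt["src"] for pkt in map(parse_icmp, datagrams) if is_aa_fill_probe(pkt))


# Constructed samples: documentation addresses stand in for the thread's real hosts.
SCANNER, VICTIM, NEIGHBOUR = "198.51.100.7", "192.0.2.10", "192.0.2.11"
SAMPLES = [
    # 1. The IDS snip: TTL 118, IP ID 21399, ICMP ID 2, Seq 61261, 64 x 0xAA -> DgmLen 92
    build_echo(SCANNER, VICTIM, 8, 2, 61261, b"\xaa" * 64, ttl=118, ip_id=21399),
    build_echo(SCANNER, NEIGHBOUR, 8, 2, 61262, b"\xaa" * 64, ttl=118, ip_id=21400),
    # 2. Default Windows ping: 32-byte alphabet fill -> DgmLen 60 (Kevin's "normal" len=60)
    build_echo(NEIGHBOUR, VICTIM, 8, 0x0200, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
    # 3. Default Unix ping: 8-byte timestamp + 0x10..0x3f -> DgmLen 84
    build_echo(NEIGHBOUR, VICTIM, 8, 0x1234, 1, b"\x00" * 8 + bytes(range(0x10, 0x40))),
    # 4. Same size as the probe but a different fill, and the victim's reply: neither matches
    build_echo(NEIGHBOUR, VICTIM, 8, 7, 1, b"\x00" * 64),
    build_echo(VICTIM, SCANNER, 0, 2, 61261, b"\xaa" * 64),
]

if __name__ == "__main__":
    for d in SAMPLES:
        p = parse_icmp(d)
        print("%s -> %s TTL:%d DgmLen:%d Type:%d Seq:%d %s" % (
            p["src"], p["dst"], p["ttl"], p["dgm_len"], p["type"], p["seq"],
            "AA-FILL PROBE" if is_aa_fill_probe(p) else ""))
    print(probe_sources(SAMPLES))
```

    Keying on the payload rather than the size is the point: any 64-byte echo
    request has DgmLen 92, but only this traffic carries the run of 0xAA bytes,
    which is the same content the old sid 483 "CyberKit 2.2 Windows" rule looks
    for in echo requests, and that is why the rule fires on hosts that never ran
    CyberKit. A border filter that drops or rate-limits echo requests with this
    fill per source, as probe_sources() tallies them, stops the scan traffic
    without blocking ordinary ping the way filtering all echo requests would.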
    



    This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 21:14:45 PDT